Patch for Apache Struts closes two holes
Apache Struts, an open source framework for Java-based web applications, has been found to contain two vulnerabilities. A directory traversal vulnerability in the "FilterDispatcher" and "DefaultStaticContentLoader" classes allows attackers to step outside the intended directory on the server and download files they are not authorised to access. A second vulnerability allows server-side objects to be manipulated using specially crafted OGNL (Object-Graph Navigation Language) expressions. The developers rate this problem as critical.
Apache Struts versions 2.0.0 up to and including 2.0.11.2 are affected. Version 2.0.12 fixes both flaws, and the developers urge users to update immediately.
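As an added example (not code from the article or from the Struts project), the following Python snippet checks deployed Struts versions against the affected range stated above; the host names and versions in the inventory are constructed.

```python
# Added example: flag Struts deployments whose version falls in the affected
# range named in the article (2.0.0 up to and including 2.0.11.2).
import re

AFFECTED_FROM = "2.0.0"     # first affected version named in the article
AFFECTED_TO = "2.0.11.2"    # last affected version (inclusive)
FIXED = "2.0.12"            # first release the article says is clean


def parse_version(version: str) -> tuple:
    """Turn '2.0.11.2' into (2, 0, 11, 2); a qualifier such as '-SNAPSHOT' is dropped."""
    core = re.match(r"\d+(?:\.\d+)*", version.strip())
    if core is None:
        raise ValueError(f"not a version string: {version!r}")
    return tuple(int(part) for part in core.group(0).split("."))


def compare(a: str, b: str) -> int:
    """Comparator returning -1, 0 or 1. Shorter tuples are padded with zeros so
    that 2.0.11 == 2.0.11.0 and 2.0.11 < 2.0.11.2 (plain string comparison gets
    2.0.11.2 vs 2.0.12 wrong)."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def is_affected(version: str) -> bool:
    """True when AFFECTED_FROM <= version <= AFFECTED_TO."""
    return compare(AFFECTED_FROM, version) <= 0 and compare(version, AFFECTED_TO) <= 0


def triage(inventory: dict) -> dict:
    """Map each host in a {host: version} inventory to an action."""
    return {host: ("update to " + FIXED if is_affected(v) else "ok")
            for host, v in inventory.items()}


# Constructed sample inventory (hypothetical hosts). Note that 2.1.6 is merely
# outside the range this article gives; check the Struts advisories for other branches.
SAMPLE_INVENTORY = {"app-01": "2.0.11.2", "app-02": "2.0.12",
                    "app-03": "2.0.9", "app-04": "2.1.6"}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(host, verdict)
```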
See also:
- XWork ParameterInterceptors bypass allows OGNL statement execution, security advisory by Struts
- Directory traversal vulnerability while serving static content, security advisory by Struts
(djwm)